Auriga Consulting Ltd (Auriga), the data, ICT and security consultancy, has warned that public and private sector organisations could resort to reclassification in haste, or 'data dumping', in a bid to comply with the new Government Security Classifications Policy (GSCP). Central Government and their private sector suppliers have just nine months to transition from using the current six tiers of protective markings to three. Although the new system promises to simplify classification, the process could prove painful in the short term as organisations reevaluate data, assign categories and adjust their risk management posture.
The GSCP forms part of the Civil Service Reform Plan published in June 2013 which includes provisions for the simplification of security classifications and their risk-informed application. The current Government Protective Marking System (GPMS) will be superseded by GSCP, with the six tiers of TOP SECRET, SECRET, CONFIDENTIAL, RESTRICTED, PROTECT and UNCLASSIFIED being replaced by three: TOP SECRET, SECRET and OFFICIAL. The GSCP aims to reduce the complexity of data classification for government Departments, Agencies and their private sector suppliers. Finalised by Francis Maude, Minister for the Cabinet Office, in December 2012 with an anticipated launch of summer 2013, the new classifications policy gives organisations less than a year to complete transition planning before the go-live date of April 2014.
Transition to GSCP is further complicated by an overreliance on existing protective markings which has seen the six tiers used as the basis for the formulation of Departmental risk management policy. Government Departments and Agencies that have used the current protective marking system to direct risk management processes will no longer be able to rely on this for OFFICIAL assets, which will not be labelled by default. A taxonomy will need to be put in place to help direct the underpinning risk management processes and create a more informed risk-driven approach to management. However, data type alone will not be enough for Departments to employ an appropriate approach to risk management; consideration will also have to be given to, for example, business objectives, legal obligations, and social remit or operational requirements in order to provide the necessary context to support a truly informed risk-driven approach to management.
The GSCP presents a real opportunity for Government Departments, Agencies and their private sector suppliers. "A data classification system should be an integral aspect of any organisation's data lifecycle processes, with the approach to risk management, and the necessary level of assurance, shaped by the characteristics of each classification. The GSCP can help Departments and Agencies realise the business and security benefits of this, but only if data classification is well thought-through, effectively integrated with the organisation's data lifecycle processes, and not done in haste," said Geoff Eden, Subject Matter Expert, Auriga.
"Departmental planning will have to be meticulous where possible and involve substantial business and process change in order to realise more effective working practices and the required cultural change and reform that the policy is hoping to deliver. That takes time and patience but GSCP is essentially a form of transition and change management. Transition, transformation and change management are a key part of what we do under our ShieldACL offering. We have engaged GSCP experts involved in the initial development of the new classifications policy and they, together with our complementary team of CLAS and CESG Certified Professional (CCP) consultants, Business Analysts and Technical Architects, are able to advise upon transition planning, assist with transitioning and provide effective risk-informed implementation," said Louise T. Dunne, Managing Director, Auriga.